AT&T 3G MicroCell hacking?

US wireless carriers have started selling femtocells to their customers. A femtocell is a device that essentially acts as a mini cellphone tower. It connects to the user’s broadband connection and their cellphone connects wirelessly just like it would to a regular tower. The call is trunked over the broadband connection and the customer gets a much better signal than they normally would. If the caller leaves range of the femtocell, it will be handed off seamlessly to a normal tower.

Due to the rules on where AT&T is licensed to transmit, users will also be prevented from using the 3G MicroCell in areas where AT&T doesn't officially do business. For example, it can't be installed by users in Vermont or North Dakota, or in other countries outside the US; this is enforced by a GPS receiver in the device that reports where it is.

I hadn't considered this restriction, but a GPS receiver is standard in every femtocell currently being sold. What made me curious about hacking femtocells is that GPS modules are pretty much standardized in how they communicate: they usually emit NMEA sentences over a plain serial connection, protected by nothing more than a per-sentence XOR checksum. You'd just need to spoof that data to make the femtocell believe it's in a proper location even if you took it to Europe. At least one device designed to spoof NMEA already exists.

I began digging to see how the GPS is actually connected. I found the FCC ID MXF-3GFP980217 in a post on Howard Forums. The FCC application has several documents that you can't view because they're withheld as confidential: block diagram, parts list, schematics. The internal photos are unprotected though, one of which appears above.

There doesn't appear to be anything unusual. You can see the antenna and the related chip in the upper left corner; the module is from the RoyalTek REB-1315LPX family, which is a common part. There is also a four-pin header in that area which is probably a serial header carrying the NMEA data stream. It seems like it would be a matter of tapping that header to confirm the data, then replacing it with your own spoofer, and you could take your cell tower wherever you please. Whether the unit cross-checks the reported position against anything else is not something the photos can tell you.
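As an added example (not code from the original post, and not AT&T's or RoyalTek's), here is what the serial feed on that header looks like and what a spoofer would have to produce: an NMEA checksum routine, a sentence verifier and $GPGGA parser for confirming what the module is sending, and a rewriter that replaces each genuine fix with one at chosen coordinates. The sample sentence is the standard textbook GPGGA example; the header pinout, the baud rate, and the exact sentence set the MicroCell's host CPU reads are assumptions.

```python
# Added example, not from the original post: NMEA 0183 sentences as a GPS module
# emits them over serial, and the verify-then-replace step a spoofer on the
# four-pin header would perform. Pinout, baud rate and the sentences the host
# actually consumes are assumptions; the sample sentence is a textbook example.
import re


def nmea_checksum(body: str) -> str:
    """XOR of every byte between '$' and '*', as two uppercase hex digits."""
    csum = 0
    for ch in body:
        csum ^= ord(ch)
    return f"{csum:02X}"


def verify_sentence(sentence: str) -> bool:
    """True if the sentence is framed as $...*HH and the checksum matches."""
    m = re.fullmatch(r"\$([^*$]+)\*([0-9A-Fa-f]{2})\r?\n?", sentence)
    if not m:
        return False
    return nmea_checksum(m.group(1)) == m.group(2).upper()


def _dm_to_deg(dm: str, hemi: str) -> float:
    """NMEA ddmm.mmmm / dddmm.mmmm plus hemisphere -> signed decimal degrees."""
    if not dm:
        return float("nan")
    dot = dm.index(".")
    deg = float(dm[: dot - 2])
    minutes = float(dm[dot - 2 :])
    val = deg + minutes / 60.0
    return -val if hemi in ("S", "W") else val


def _deg_to_dm(value: float, is_lat: bool) -> tuple:
    """Signed decimal degrees -> (ddmm.mmmm or dddmm.mmmm, hemisphere letter)."""
    hemi = ("N" if value >= 0 else "S") if is_lat else ("E" if value >= 0 else "W")
    value = abs(value)
    deg = int(value)
    minutes = round((value - deg) * 60.0, 4)
    if minutes >= 60.0:          # carry if the minutes field rounded up to 60
        deg += 1
        minutes = 0.0
    width = 2 if is_lat else 3
    return f"{deg:0{width}d}{minutes:07.4f}", hemi


def parse_gga(sentence: str):
    """(lat, lon, fix_quality, satellites) from a $GPGGA sentence, or None."""
    if not verify_sentence(sentence):
        return None
    fields = sentence.strip().lstrip("$").split("*")[0].split(",")
    if fields[0] != "GPGGA" or len(fields) < 10:
        return None
    lat = _dm_to_deg(fields[2], fields[3])
    lon = _dm_to_deg(fields[4], fields[5])
    return lat, lon, int(fields[6]), int(fields[7])


def build_gga(lat: float, lon: float, utc: str = "120000.00",
              sats: int = 8, alt_m: float = 30.0) -> str:
    """A $GPGGA fix at lat/lon with a valid checksum; fix quality 1 means 'GPS fix'."""
    lat_dm, ns = _deg_to_dm(lat, True)
    lon_dm, ew = _deg_to_dm(lon, False)
    body = f"GPGGA,{utc},{lat_dm},{ns},{lon_dm},{ew},1,{sats:02d},0.9,{alt_m:.1f},M,0.0,M,,"
    return f"${body}*{nmea_checksum(body)}\r\n"


def rewrite_fix(sentence: str, lat: float, lon: float) -> str:
    """The man-in-the-middle step: pass everything through unchanged except GPGGA
    fixes, which are rebuilt at the chosen coordinates keeping the module's UTC
    time and satellite count so the stream still looks like a live receiver."""
    if not verify_sentence(sentence):
        return sentence              # corrupt input: the host will discard it anyway
    fields = sentence.strip().lstrip("$").split("*")[0].split(",")
    if fields[0] != "GPGGA":
        return sentence
    return build_gga(lat, lon, utc=fields[1], sats=int(fields[7] or 0))


if __name__ == "__main__":
    # Constructed capture of one real fix (the textbook GPGGA example, near Munich).
    captured = "$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47"
    print("captured:", parse_gga(captured))
    spoofed = rewrite_fix(captured, 37.7749, -122.4194)   # San Francisco, assumed
    print("spoofed :", spoofed.strip(), parse_gga(spoofed))
```

Because NMEA 0183 carries only an XOR checksum and no authentication, the host has no way to tell a rewritten sentence from a genuine one; any real check has to come from something other than the serial stream. Wiring the rewriter between the module and the host (a UART bridge reading one side and writing the other) is the hardware part the photos do not settle.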

I don't really like the idea of femtocells. They're carrier specific, but worst of all there seems to be a technology that's even easier to work with, namely UMA. UMA is a feature of some T-Mobile phones. It lets you make calls over WiFi and will hand off to a cellphone tower if you walk out of range. Yes, it relies on the handset having UMA-specific hardware, but it doesn't require anything other than a WiFi connection, any connection, not a specific device.

If you’re interested in UMA, the BlackBerry 9700 has recently been released. It’s the first 3G T-Mobile device that has UMA.

The only other interesting thing I noticed on the MicroCell was a Xilinx Spartan-3A on the board. It's not the main processor and is presumably being used as either a DSP or a crypto device.

This entry was posted on Wednesday, December 2nd, 2009 at 3:14 pm and is filed under Hacks.

40 Responses to “AT&T 3G MicroCell hacking?”

Did you find a way to hack the 3G MicroCell GPS to spoof your location? I'd love to know more about the possibility of this too. AT&T forced me down this path by failing to provide any bars within my home in one of the biggest cities of the world!

@Daniel, he’s not suggesting spoofing the actual GPS signal, he’s suggesting spoofing the serial representation of what the GPS chip on the board is reporting as the device’s location.

When AT&T bricked my microcell after a week (http://nsayer.blogspot.com/2009/12/3g-microcell-fun-while-it-lasted.html), I contemplated a similar course. The problem with this idea, however, is that not only is the GPS location used to ensure that the device is in a correctly licensed area, it's also used for E-911 location information. If I dial 911 on my phone, I don't want to get a response from the San Diego fire department.

So what if I buy this in an allowed area in which I need it, then move to an area where it is not allowed? Is there a buy-back program? Or am I stuck with this lame piece of equipment I bought for almost $200 bones?

The real problem with the device is the requirement that it HAS to be by a window. The best location for the unit I have is on my rack. It is in the center of my home; the closest window is 11 feet away (AT&T requires no more than 3).

I want to spoof the location now to cheat, but so I don't have to keep moving it to the window and then back again to get the damn thing to work!!!

When trying to add a 3G microcell tower in my daughter's college dorm we ran into a problem. All devices going through their network need a user name and password, and the microcell apparently cannot communicate this. We tried talking with the college "geek squad" but they had no clue as to what we could do. Any ideas?

DB, the microcell needs to have a phone number associated with an IMSI, and this IMSI number is entered in AT&T's core network database. Because this is a closed-loop system, the microcell only accepts registered phone numbers, and they have to be issued by AT&T. It would work if your alarm GSM system uses a SIM card; this way you might be able to program it to dial your number instead of 911 or the security company.

You asked how to make the thing work through a network that requires a username and password to connect. The easiest way to 'fix' this is to spoof the MAC address on your computer (this is the hardware address and has nothing to do with Apple computers...) to be identical to that of the microcell (or a router that the microcell is connected to). You then authenticate with the username/password, set the MAC address back to normal on the computer, and put the microcell/router in place (on the network) of the computer. The question is how long the authentication is good for, since this is not a practical solution if you need to re-authenticate every, say, 24 hours. In that case you can find a script to run on a modified router, such as the WRT54G(L), that will do the authentication for you.

It sounds to me like spoofing the GPS signal can't work for long if the spoofed location gets cross-checked against neighboring GSM cell tower locations. Firmware modifications that skip the checking altogether might be the way to go. Unless a user-downloadable firmware update is or becomes available to decompile, someone inside Cisco would probably need to help out.
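As an added example of the kind of server-side plausibility check the comment above describes (example code, not a description of what AT&T's backend actually does), here is a cross-check of a femtocell's reported GPS fix against the carrier's own record of where the macro cells it reports hearing are located. The cell identities, their coordinates and the 5 km tolerance are constructed for the example; a spoofed NMEA stream that moves the fix to another country fails it immediately, while a fix a few hundred feet off passes.

```python
# Added example, not from the original post: a plausibility check a carrier could
# run on the femtocell's reported position. Cell identities, coordinates and the
# tolerance below are constructed; nothing here is AT&T's actual logic.
import math

EARTH_RADIUS_KM = 6371.0

# Constructed carrier-side table: (MCC, MNC, LAC, CID) of macro cells the
# femtocell can scan, and where the carrier knows each one physically sits.
KNOWN_CELLS = {
    ("310", "410", 1234, 5678): (37.7749, -122.4194),  # hypothetical, San Francisco
    ("310", "410", 1234, 5679): (37.7849, -122.4094),
    ("310", "410", 1234, 5680): (37.7649, -122.4294),
}


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two latitude/longitude points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def check_reported_fix(reported_lat, reported_lon, scanned_cells, tolerance_km=5.0):
    """Compare the femtocell's GPS fix with the known positions of the macro cells
    it claims to hear. Returns (ok, worst_distance_km, unknown_cells).
    A fix with no corroborating known cell is rejected rather than assumed good."""
    unknown = [c for c in scanned_cells if c not in KNOWN_CELLS]
    distances = [haversine_km(reported_lat, reported_lon, *KNOWN_CELLS[c])
                 for c in scanned_cells if c in KNOWN_CELLS]
    if not distances:
        return False, None, unknown
    worst = max(distances)
    return (worst <= tolerance_km and not unknown), worst, unknown


if __name__ == "__main__":
    cells = list(KNOWN_CELLS)
    # Honest unit in San Francisco (constructed coordinates).
    print(check_reported_fix(37.7749, -122.4194, cells))
    # Same unit, NMEA feed spoofed to Puerto Vallarta while it still hears SF cells.
    print(check_reported_fix(20.6534, -105.2253, cells))
```

The check only works if the femtocell reports what it actually hears on the air, which is why the comment's suggestion of patching the firmware instead of the serial feed is the more thorough attack; a check like this still catches the cheap version.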

I'm having the same problem as Andy had, and have tried 3 different 12 VDC 1 amp adapters but have not been successful: would someone post the part number on the AT&T AC power adapter, or equivalent? Much appreciated.

It would be great if you folks can uncover what is repeatedly happening across the country in different regions with microcell outages. Mine has been down for 3 solid days, and I've seen many forum posts stating outages in different regions over the last year, but nobody has posted the resolution to the problem. They obviously have a problem connecting to the AT&T network. All top 3 lights are solid on. The 3G light goes from solid to blinking after working with changes to the setup. POR, reset button, direct connect to modem all do not work. There's obviously more than a hardware element down and not working. Cell towers, GPS, and phone signal over the internet all in sync seems to be more impossible to manage than AT&T expected.

I’m interested if anyone has figured out this “hack” too. I travel frequently to P.V. in Mexico and like to be able to use my Microcell and iPhones there. In the meantime, I’ll help by providing the Power Supply adapter from my 3G Microcell (model: DPH151-AT).
————————————
Linear-Switching Power Supply
Model: 3A-153WU12
Input: 100-120V, 50-60Hz, 0.4A
Output: 12V, 1.25A
————————————

I did a little more research on the database dot UL dot com site and found that this model number is registered to the following Chinese manufacturer:

L Hemy – If you want to get nerdy, you could set up another NIC on your daughter's PC that you can set up for connection sharing. Essentially you would be using your daughter's PC as a NATed router that has the added benefit of handling the authentication.

I purchased this Microcell at an estate sale. In order to use it, I need to type the serial number into AT&T's website to register the device so I can configure it. Their website won't let me register the device because it's "already registered". I spent an hour on the phone with AT&T, and talked to their "tier 2" techs, but they couldn't (or wouldn't) help me. They said that unless the previous user called them on the phone, there is nothing they could do. They also would not give me any information as to the name, phone, or email of the prior registered user (understandably, for security reasons). I tried to get them to call the prior user themselves, but they wouldn't do that either.
Anybody know if there's a way around this?

L Hemy
I would look for an open public WiFi that you can connect to the microcell without continually logging in.

The AT&T Microcell will apparently "remember" a GPS lock for a while. I am 200 feet from a window in my first floor office, and I come in at night periodically to capture a new GPS signal. The first time I did this the Microcell remained active for 2-3 months. Alas, the last time, only 3 days! It seems to reset periodically, especially after a power cycle following a software update. I keep mine on a UPS, and have to haul the UPS outside with it when I need to recapture, since the device needs both power and an internet connection to lock the GPS. I'm trying to get my business to allow me to pay for pulling a cable with a remote antenna, which should allow a permanent fix.

Hello everybody! I got a used MicroCell however I have the same problem as “Dawn” above. Any ideas to get it unregistered from the previous people?
Thanks!
PS: I urgently need this device, because AT&T has NO SERVICE in my area but I’m stuck on using AT&T because I don’t want to replace my phone, I’ve got a 2 year contract, and I’m on somebody else’s family plan so I don’t have to pay as much.

DL pics. Notice the two little nipples on the real jumpers and the lack of any surface features on the others. Solder the nippy ones together and snip the others.
J16=top one real, bottom two fake
j15=top two real, bottom one fake

The idiots= what is top?

Top is where the letters are not upside down. That way you can read J15, J16 right side up.

What about a case where the microcell is in a licensed area but simply cannot reliably establish a GPS signal – would be great to be able to spoof the GPS data for the correct location so that it would do the job it is meant to do in a location where it is perfectly allowed to do so.